legalaccountsuspended

DetectingUnusualUserBehaviourtoIdentifyHijackedInternetAuctionsAccountsMarekZachara1andDariuszPalka21AGHUniversityofScienceandTechnology,Polandmzachara@agh.
edu.
pl2PedagogicalUniversityofCracow,Polanddpalka@up.
krakow.
plAbstract.
Forover15yearsauctionserviceshavegrownrapidly,consti-tutingamajorpartofe-commerceworldwide.
Unfortunately,theyalsoprovideopportunitiesforcriminalstodistributeillicitgoods,laundermoneyorcommitothertypesoffraud.
Thiscallsformethodstomiti-gatethisthreat.
Thefollowingpaperdiscussesthemethodsofidentifyingtheaccountsofusersparticipatingininternetauctionsthathavebeenhijacked(takenover)bymaliciousindividualsandutilisedforfraudulentpurposes.
Twoprimarymethodsaredescribed,monitoringusers'activ-ities(e.
g.
thenumberofauctionscreatedovertime)withEWMAandclusteringsimilarauctioncategoriesintogroupsforthepurposeofas-sessingusers'sellersprolesanddetectingtheirsuddenchanges.
Thesemethods,utilisedtogetherallowforreal-timedetectionofsuspiciousac-counts.
Theproposedmodelsarevalidatedonrealdatagatheredfromanauctionwebsite.
Keywords:internetauctions,identitytheft,anomalydetection.
1InternetAuctions-IntroductionSincethelaunchofeBayin1995,internetauctionshavebecomeanimportantpartoftheglobalmarketplace.
AccordingtotheeBayannualreport,theirin-comefromtransactionsamountedto7.
7billiondollarsin2009.
Assuminganaveragefeeforatransactiontobebelow10%,thetotalsalesthrougheBaywouldamounttoaround100billiondollars,comparedto135billiondollarsoftotale-commerceretailsalesintheUS[19]duringthesameyear.
TherearecertainlyotherauctionservicesbesideeBay,butevenconsideringonlythenum-bersrelatedtoeBay(whichiscertainlythelargestone),theimportanceofthistransactionmediumisobvious.
Oneoftheprimaryreasonsforthesuccessofauctionservicesisthelowcostofentry.
Apersondoesnotneedanyspecictoolsnorformalitiestostartsellingtheirproducts(orinformationservices).
Thisresultsinalargenumberofbothsellersandbuyersregisteredwithauctionsites.
Alargeuser-baseofThisworkispartiallysupportedbyNCBiRgrant0021/R/ID2.
G.
Quirchmayretal.
(Eds.
):CD-ARES2012,LNCS7465,pp.
534–546,2012.
cIFIPInternationalFederationforInformationProcessing2012DetectingUnusualUserBehaviour535thesellersmeansstatisticallyhighchancesofuserswithweakpasswordsorotherwisevulnerabletohackingmethods.
Ahugeamountofbuyers,ontheotherhand,provideanexcellentopportunitytondthoseinterestedinillicitgoodsorsusceptibletovariousscammethods.
Asaresult,auctionsystemsareanimportantmediumforcriminals,grantingthemmeansofexpandingtheirillegalactivities,includingfraudand/ortheprovisionofprohibitedgoods.
Leftunmitigated,thiswouldconstituteaseriousthreattopublicsecurity.
Althoughmostreadersareprobablyfamiliarwithhowinternetauctionswork,abriefexplanationwillbeprovidedhereforereferencepurposes.
Apersonwillingtosellanitem,postsitsdescription(oftenwithphotos)andaninitialaskingpriceatanauctionsite.
Otheruserscanviewtheoer,mayaskadditionalquestionsandmayalsobidacertainsumfortheitem.
Auctionsusuallyendafteraspecictime(e.
g.
14days),withtheitemsoldtothehighestbidder.
Theremightbeothertypesofoers(e.
g.
axedprice,multipleitems,etc.
),butinallcasesthetransactionisconcludedbetweentworegisteredusersoftheauctionservice.
Aftereachtransactionthepartieshaveachancetoevaluateitbypostingtheircommentsandratingsoftheotherparty.
Suchratingsforeachuserareusuallyaggregatedintoanoverallreputationrating(e.
g.
apersonwith96positiveand3negative'comments'wouldhavearatingof93).
Thereputationsystem.
i.
e.
themethodofcalculatingthereputationratingandtheactualnumbersarevitaltoanauctionssystem.
Contrarytotraditionalsalesscenario,wherebothpartiesmeetinpersonandthegoodsareexchangedformoneyatthesametime,purchasesmadeovertheinternetusuallytakemuchlonger,withmoneyoftenbeingpaidup-frontandthegoodsdeliveredafterafewdays.
Buyersarethereforelikelytomakethebuyingdecisionbasedontheirtrustthatsellerswillkeeptheirpartofthebargain.
Thistrustislikelytobehigherifalotofotherusershavealreadyconcludedtransactionswiththisparticularseller,andweresatisedwiththem,whichwouldbereectedinthesellersreputationrating.
Similarly,thesellerismorelikelytooere.
g.
aCoDoptiontoabuyerwithagoodreputationstanding.
Althoughthereputationratingisvaluabletoeveryuser,itisvitaltosellers,asitwilldirectlyaecttheirbusinessandprot.
Thereputationsystemandthe'snowballeect'ofanincreasingnumberofbuyersandsellersusingtheauctionsystemsfortheirneedshavemotivatedmanymerchantswhoweresellingtheirproductsviatheirownwebservicetointegratewithanauctionsystemanduseitastheirprimarysaleschannel,resultinginsuchalargevolumeoftradeasmentionedatthebeginningofthearticle.
1.
1Auction-RelatedFraudThevolumeoftransactionsmadeviainternetauctionsmakeitavaluabletargetforcriminalsandabusers.
Accordingto[9],auctionfraudscanbesplitintothreemajorcategories:–Pre-auctionfraud,whichincludesmisrepresentation,thesaleofillegalgoodsortriangulation.
Theformertwoarenotspecictoauctionsore-commerce536M.
ZacharaandD.
Palkaingeneral,whilethelater(triangulation)isthesaleofgoodspurchasedwithstolencreditcardforcash-leavingthefraudsterwithcashandtransferringtheriskofseizuretotherecipient[9].
–In-auctionfraud,whichisusedtodisruptcompetitors'sales(e.
g.
byplacingahighbidviaafraudulentaccountwithnointentionofbuyingtheitem,orbyinatingthepricebybiddingonone'sownitems.
–Post-auctionfraud,consistingmainlyofnon-deliveryofthepurchaseditem,thedeliveryofabrokenorinferioritemorstackingthebuyerwithadditionalfees.
Moredetailsaboutauctionfraudcanbefoundin[11]and[9].
However,ofallthepossibleoptions,themostprotabletoafraudsteraretheoneswhichincludeup-frontpaymentandnon-deliveryoftheitem,orthedeliveryofaniteminferiortotheoeredone.
Unfortunatelyforafraudster,thereputationsystemdoesnotal-lowthisscenariotobeexploitedforlong,asnegativefeedbackfromthebuyerswillsoonwarnotherusersandeectivelypreventthefraudsterfromusinghis/herac-countwiththeauctionsystemforthispurpose.
Ontheotherhand,havingaccesstoanaccountwithahighreputationallowsforalargernumbersofbuyerstobeattractedtothefraudster'soer,allowinghim/hertogathermoremoneybeforenegativefeedbackstartspouringin.
Developingthemeanstoabuseorcircum-ventthereputationsystemisthereforevitaltoafraudster.
Itisabroadsubjectdiscussede.
g.
in[18],butcanbenarroweddowntotwomostoftenusedmethods:–Buildingupafraudulentreputation,oftenutilizinga'SybilAttack'[2]wherepositivefeedbackforaspecicaccountisgeneratedviadummyaccountscontrolledbythefraudster–Gainingaccesstoalegitimateaccount,andexploitingitforownpurposes(e.
g.
fraudulentoers/sales),leavingtheoriginalaccountownerwithun-happycustomersand,potentially,alegalstruggle.
Ofthesetwomethods,therstoneismoredeterministic,althoughitrequiresacertainamountofeortandtimetoreachthestagewhenthefraudstercanexecutehis/herschema,afterwhichtheaccountisbasicallyunusableandanewoneneedstobeprepared.
Thesecondmethodislessreliable,asitdependsoncertaincircumstances,oftenoutsidethefraudster'scontrol(e.
g.
carelessnessofacertainuserortheauctionsystemoperator),butprovidesthefraudsterwithanaccountthatcanbeutilizedonthespotandwithpossiblelessriskastheoriginaluserwillbetheprimarytargetoftheclaims.
1.
2ExistingFraudPreventionandDetectionTechniquesItwasnotlongaftereBaylaunchedthatfraudstersnoticedthenewoptionsitprovided.
Aninitialanalysisofauctionfraudanditspreventionappearedasearlyas2000[3].
By2006,onlineauctionfraudwasthemostoenreportedoenceinAustralia,accordingtoagovernmentreport[21].
Sofar,mostoftheresearchfocushasbeenappliedtoidentifyingthefraudulentaccountsthatwereusedtobuildupareputationscorebasedonthedistribu-tionofaccumulatedfeedbackintime[4],decisiontrees[5]orbeliefpropagationDetectingUnusualUserBehaviour537andMarkovrandomelds[25].
Also,thereareproposalstoutilizenon-technicalmethods(i.
e.
socialgroupsandtheircollectiveexpertise)tocombatsomespe-cicformsofauctionfraud[7].
Thereis,however,substantiallylessinterestinidentifyinghackedorstolenauctionaccounts.
Althoughtheissue(alsonamedan'identitytheft')isveryimportanttonancialindustry,asoutlinedin[17],[23],thereislittlespecicresearchrelatedtoauctionaccounts,eventhough,aswillbedemonstratedinthisarticle,thisspecicenvironmentprovidesopportunitiestoutilizevarioustechniquesbasedonspecicallyavailabledata.
2AnOverviewoftheProposedMethodInthispaperweproposeamulti-modelapproachtodetectinganomaliesinthebehaviourofsellersparticipatingintheinternetauctions.
Foreachselleradif-ferentbehaviourmodeliscreated,whichisnextconstantlymatchedagainstthecurrentprole(oersandtransactionsperformed).
Themodelconsistsofanum-beroffeaturesandprocedureswhichareusedtoevaluatetheusers'behaviour.
Theprimarytaskofthemodelistoassignaprobabilityvaluetothecurrentbehaviouroftheseller.
Thisprobabilityvaluereectstheprobabilityoftheoccurrenceofthegivenfeaturevaluewithregardstoanestablishedsellerprole.
Theassumptionisthatfeaturevalueswithasucientlylowprobabilityindicatepotentiallyabnormalbehaviour,whichinturnmybetheresultofanaccounthijackingbyamaliciousindividual.
Basedonthemodeloutputs,theuser'sbehaviourmaybereportedasabnormal.
Thisdecisionisreachedbycalculatinganumberofanomalyscores.
Thecurrentuser'sbehaviourisreportedasanomalousifatleastoneoftheseanomalyscoresisabovethecorrespondingdetectionthreshold.
Thisapproachsharessomeconceptswithintrusiondetectionsystems(IDS)[16],however,itoperatesondierenttypesofdataandbehaviourmodels,asIDSoperatesonthenetworktraclevel-detectinganomaliesinnetworkpackets.
Similarmulti-modelapproachesweresuccessfullyusedfordetectingpotentialattacksonwebapplications[15],[13].
Samplemodelsoftheseller'sbehaviouraredescribedinthefollowingsection.
Therealdataaboutusers'activitiespresentedinthisarticlehavebeengath-eredbytheauthorsbymonitoringPolishlargestauctionservice(allegro.
pl).
Thisserviceconsistentlyhostsover1millionactiveauctionsatanygiventime,andhasanimportantadvantageovereBayfromtheresearchpointofview,asitallowsfortheretrievalofusers'history(pastauctions).
3EWMAoftheUser'sActivityTheproposedmodelisbasedonmeasuringthetotalnumberofitemsoeredforauctioninallcategoriesonanygivenday.
Torestrictthemodelsensitivitytotemporaryuctuationsinthenumberofitemsoereddaily,themodelutilizesanexponentiallyweightedmovingaverage.
Thisaverage(S(t))iscalculatedaccordingtoarecursiveformula:538M.
ZacharaandD.
PalkaS(t)=α·y(t1)+(1α)·S(t1)ift>2y(1)ift=2(1)Where:–tisdiscretetime(thenumberoftheday),inwhichwecalculatetheaveragenumberofauctions;themeaniscalculatedfromtheinitialtimet=2–y(t)isusers'activity(e.
g.
thenumberofitemsoeredbyaseller)onthedayt–αisthesmoothingconstant(lterfactor)Additionally,thevarianceiscalculatedrecursively:V(t)=α·(y(t)S(t1))2+(1α)·V(t1)(2)Where:–V(t)isthevarianceatthemomenttApplyingChebyshev'sinequalityP(|xE(x)|>ε)|y(t)S|)e.
thatthedierencebetweenthevalueofarandomvariablexandE(x)exceedsacertainthresholdε,foranarbitrarydistributionwithvarianceV(x)andmeanE(x).
Theinequalityisveryusefulbecauseitcanbeappliedtovariousarbitrarydistributionswithnitevariance.
Theformula(4)calculatestheprobabilityvalueP(y(t))iftheamountofuser'sactivity(e.
g.
thenumberofitemsputupforauctions)atanygiventimey(t)exceedsthecurrentvalueofS(t).
IfthenumberofitemsissmallerthenorequaltoS(t),itisassumedthatP(y(t))=1.
ThevalueofP(y(t))isthevaluereturnedbythismodel.
Figure1illustratesatypicalscenario,withvaryingbutconsistentuser'sac-tivityovertime.
Althoughtheactivityischangingsubstantially,thevalueofthedV(t)/dtfunctiondoesnotreachsignicantlevels.
Inanotherscenario,illustratedinFig.
2theuser'sactivityincludesasig-nicantpeakatacertaintime(around40thday).
Thisispromptlysignalledasasuspiciousactivitybythechangeinvariationexceedingthevalueof10.
TheproposedmodelprovesalsoitsusefulnessinFig.
3,whenanactivityofaspecicuserisillustrated.
Thisuserapparentlyputsupitemsforsaleinweekly'batches'.
Ascanbeseeninthisgure,themodeldoesnotalertofasuspiciousactivityinthiscase,whichisadesiredoutcome,assuchbehaviourisconsistentandunsurprising.
DetectingUnusualUserBehaviour539024681012010203040506070time(days)y(t)S(t)V(t)-5051015010203040506070dV/dtFig.
1.
Nonsuspiciousactivityofaselecteduser.
Thevaluesofmovingaverage,vari-anceandvariance'sderivativearepresented.
Thevaluescalculatedfor(α=0.
02).
051015202505101520253035404550time(days)y(t)S(t)V(t)-505101505101520253035404550dV/dtFig.
2.
Exampleofsuspiciousactivity(α=0.
02)540M.
ZacharaandD.
Palka024681012051015202530354045time(days)y(t)S(t)V(t)-5051015051015202530354045dV/dtFig.
3.
Insensitivityofthedetectiontoperiodicalactivity(α=0.
02)4'Thematic'CategoryClustersAlthoughtheproposedmodelofuser'sactivityperformsuptotheexpectations,itisusuallybettertohavemultipledetectionsystems(atleasttwo)fortheconrmationofasuspiciouscase.
Anothercriterionofthesuspiciousseller'sbehaviour(whichmightindicateatakeoverofanaccount)isasuddenchangeofthetypesofitemsprovidedbytheseller.
Sinceallauctionservicesallowthesellerstoassigntheoereditemwithacategory(fromaprovidedlist),asuddenchangeinthenumberofitemsoered(ortransactions)percategoriesisapossiblewarningsign.
Forexample,auserwhosofarhassolditemsmostlyinthecategoriesforchildren→toysandbooks→comicssuddenlystartstosellinthecategoryjewelleryformenandjewelleryforwomen.
Inordertodetectsuchchangesintheproleofcategoriesforagivenseller,itisnecessarytoclusterallcategoriesofanauctionserviceintothematicgroups.
By'thematic'wemeangroupsthatarelikelytosharesimilaritemsacrosssev-eralcategories.
Suchclustersarelikelytogrouptogetherthealreadymentionedjewelleryformenandjewelleryforwomenaswellase.
g.
books→guidebooksandcar→manuals.
Thisclusterizationallowstobuildandobservesellers'activityproleswithingiventhematiccategories.
Unfortunately,thehierarchyofcategoriesoeredbyauctionservicesoftendoesnotsuitthispurpose,assimilaritemscanbeoeredindistantcategories(accordingtothehierarchytree).
DetectingUnusualUserBehaviour541Inordertocreateusefulclustersofcategories,theyweregroupedonthebasisofsimilarityofthenamesofitemspresent.
Thisisdoneasfollows:Ingiventimeintervals(onemonthintheexistingimplementation),thenamesofallobjectsoeredinallcategoriesareacquired.
Foreachcategorypairtheprobabilityiscalculatedusingtheformula:s(ca,cb)=ni=1max1jmf(pca(i),pcb(j))n(5)where–nthenumberofauctionsinthecategoryca–mthenumberofauctionsinthecategorycb–pca(i)-thenameoftheobjectwiththenumberandinthecategoryca–pcb(j)-thenameoftheobjectwiththenumberandinthecategorycbnext,thesimilarityfactoriscalculated:f(pca(i),pcb(j))=0iff(pca(i),pcb(j))<0.
5f(pca(i),pcb(j))iff(pca(i),pcb(j))≥0.
5(6)f(pca(i),pcb(j))=1Ldist(pca(i),pcb(j))max(|pca(i)|,|pcb(j)|)(7)where–Ldist(pca(i),pcb(j))-theLevenshteindistancebetwennamepca(i)andpcb(j)–|pca(i)|-size(numberofcharacters)ofnamepca(i)–|pcb(j)|-size(numberofcharacters)ofnamepcb(j)Thesimilarityfshowninequation(6),representsthepercentagedistancebe-tweennames(i.
e.
theminimumnumberofeditsneededtotransformonenameintoanotherdividedbythelengthofthelongestnamemultipliedby100%).
Ifitexceeds50%,thevalueofsimilarityfisassignedthevalueof0tolimittheinuenceonthesimilarityofthecategorys(ca,cb)oftheobjectssignicantlydieringinnames(thesuggestedcutothresholdat50%isarbitrary,buthasproventobeareasonablevalue).
BeforecalculatingtheLevenshteindistance[14]Ldistbetweenthenamesoftheitems,pcaandpcbarenormalized:–all'marketing'marksusedbysellersinordertoattractbuyerssuchas:'#',areremoved–whitespacesandthefollowingsigns",;.
-"areconcatenatedtoasinglespace–alllettersaretransformedtolowercase.
Suchnormalizationofnamesisnecessarytoachieveameaningfuldistancebe-tweenthenames,assellerstendtoutilizenumerouswaysofmodifyingthenamesinordertostandoutwiththeiroers.
Ascanbeobserved,duetothe542M.
ZacharaandD.
PalkawayofdeningthesimilaritySbetweencategories,0≤s(ca,cb)≤1aswellasself-similarityofcategoriess(ca,ca)=1.
Onthebasisofthesimilaritysbetweencategoriesthesymmetricalsimilaritymeasureisdenedas:ssym(ca,cb)=s(ca,cb)+s(cb,ca)2(8)Onthebasisofthesymmetricalsimilaritymeasuressym,anundirectedgraphisbuiltwhichrepresentsthesimilaritybetweencategories.
Inthisgraphthever-ticesrepresentgivenedges,andedgesrepresentthesimilaritybetweengivencat-egories.
Theweightoftheedgesconnectingverticescaandcbequalsssym(ca,cb).
Ifssym(ca,cb)=0,theedgeisdiscarded.
Duringthenextstep,thegraphconstructedundergoesaclusterizationinordertogroupthematicallysimilarcategoriestogether.
Theclusterizational-gorithmusedisarecursivespectralalgorithmdescribedin[12].
Thisalgorithmwaschosenbecauseofitsmanyadvantages,includingitsspeedandthefactthatitcanbesuccessfullyappliedinavarietyofcontexts[1],[8],[20],[22],[10],[24].
Thespecicalgorithmusedinthereferenceimplementationwasbasedon[6]andisdescribedin(Algorithm1).
Algorithm1.
ClusteringofthecategoriesInput:MatrixnxncontainingweightsofundirectedweightedgraphrepresentingcategoriessimilarityOutput:AtreewhoseleavesaretherowindexesofArepresentingclusters1.
InitializeLetR2∈n*nbeadiagonalmatrixwhosediagonalentriesaretherowsumsofAAT2.
ComputeSingularVectorComputethesecondlargestrightsingularvectorvofthematrixATR1Letv=R1v3.
CutSortvcoordinatessothatvi<=vi+1Findthevaluetthatminimizestheconductanceofthecut:(S,T)=({v1,.
.
.
,vt},{vt+1,.
.
.
,vn})LetAS,ATbethesubmatricesofAwhoserowsarethoseinS,T4.
NormalizeAdjusttheselfsimilaritiesA2ii:=A2ii+j∈TA(i)·A(j)ifi∈Sj∈SA(i)·A(j)ifi∈T5.
RecurseRecursesteps2-4onthesubmatricesASandATDetectingUnusualUserBehaviour543Theconductanceofacut(S,V\S)iscalculatedasfollows:cond(S,V\S)=d(S,V\S)min(d(S),d(V\S))(9)where–d(A,B)=i∈A,j∈BA(i)·A(j)–d(A)=d(A,V)–A(i)isi-throwvectorinmatrixATheresultsoftheclusterizationcanbeseeninFig.
4,whichillustrateshowallactivitiesoftwousersreallybelongtooneprimaryspecicclusterofcategories,withsomemarginalactivityinothercategoryclusters.
timecategories024681012quantity(a)UserA,activitytimecategories05101520253035quantity(b)UserA,clusteredtimecategories02468101214quantity(c)UserB,activitytimecategories051015202530quantity(d)UserB,clusteredFig.
4.
IllustrationofUser'sactivity(thequantityofdailytransactions)fortwodif-ferentaccounts.
Thegraphsontherightillustrateactivityaggregatedinto'thematic'clusters.
5DetectingUnusualActivitiesAftertheclusterizationintothematiccategorygroups,theprobabilityofacertainnumberofoersappearinginagivengrouponagivendayiscalcu-lated.
TheprobabilityiscalculatedinthesamewayastheEWMAmodelde-scribedabove.
Theprobabilityofcorrect(nonanomalous)behaviouryieldedby544M.
ZacharaandD.
PalkathismodelP(y(t))isdescribedastheminimumofprobabilitiesinparticularclusters:P(y(t))=min(Pc(y(t)))(10)where–c∈C(setofallclusters)AftercalculatingtheprobabilityofnonanomalousbehaviouratagiventimetusingparticularmodelsexpressedasPm(t),itispossibletocalculatethefollow-ingparameters:anomalyscorew=m∈Mwm·(1Pm)anomalyscoremax=max(1Pm)(11)Therstonerepresentsaweightedsumofanomalousbehaviourcalculatedbyeachmodel,while(1Pm)denotestheprobabilityofanomalousbehaviouraccordingtothemodelm,andwmrepresentstheweightsassociatedwiththismodel.
Thesecondparameterspeciesamaximumprobabilityofanomalousbehaviouryieldedbyallmodels.
Finally,itispossibletoselectthresholdskwandkmaxrespectivelyforcal-culatedanomalyscoresinsuchawaythatafterexceedingthem,thesystemwillreportapossibilityofunauthorizedusageofthesuspiciousaccount.
Thethresholdsneedstobebeadjustedmanuallyinordertominimizethenumberoffalsepositivealertswhilepreservingthesensitivityofthesystemtoanomalousbehaviour.
6ConclusionThemodelsproposedinthispaperfortheassessmentoftheuser'sactivitybe-haviourhaveprovenveryeectiveagainsttheprovidedsetofdata.
Thedatausedforvalidatingthemodelsweregatheredbydailyretrievalofalltheauc-tionsfromtheirwebsiteforaperiodofonemonth.
Therewereseveralmillionsofauctionsretrievedduringthattime.
Unfortunately,duetolegalandprivacyconcerns,wewerenotabletoreceivedataonrealaccountstakenoverbycrimi-nals,sothemodelwasvalidatedwiththedatamanuallyreviewedwhichdeemedtobesuspicious(e.
g.
Fig.
2).
Theclusterizationofthecategorieshasalsoprovedtoyieldextraordinaryresults,withsignicantportionofusershavingmostoftheirtransactionsinjustafew(orevenone)primarycategorygroups.
Interest-ingly,withthetotalnumberofgroupsequaltoapproximatelyaquarterofallcategories,somegroupsconsistedofover200categories,whiletheothersweresingle-membered.
Themostcomputationallyexpensivepartoftheproposedprocessisthegroup-ingofcategories,whichcanfortunatelybedonequiterarely(e.
g.
onceamonth)ando-line.
Otheralgorithmsarelightweightandcaneasilybeutilizedforareal-timemonitoringonanyscaleofusers.
ImplementingsuchsolutionswillnotDetectingUnusualUserBehaviour545eliminatethepossibilityoffraudulentuseofahijackedaccount,butwillatleastgreatlylimitthebenets,asanalertcanberisenveryquicklyandthesuspiciousaccountsuspendedforevaluation.
Ashasbeenmentionedbefore,auctionfraudisaconsiderableaspectofpublicsecurity,therefore,itsmitigationisofinteresttobothauctionserviceprovidersandsecurityforces(e.
g.
police).
Althoughtheproposedmodelprovestobeeective,itcanbefurtherenhancedwithotherdetectionfactors(e.
g.
theassessmentofthevalueofitemsoeredinsteadoftheirnumber).
Thismayfurtherimproveitsabilitytodistinguishanomaliesinusers'behaviour.
References1.
Alpert,C.
,Kahng,A.
,Yao,Z.
:Spectralpartitioning:themoreeigenvectorsthebetter.
DiscreteAppliedMathematics90,3–26(1999)2.
Beranek,L.
:AuditingElectronicAuctionsSystems.
ISACAOnLineJournal4(2010),http://www.
isaca.
org/Journal/Past-Issues/2010/Volume-4/Pages/default.
aspx3.
Boyd,C.
,Mao,W.
:SecurityIssuesforElectronicAuctions.
TechnicalReport,HewlettPackard(2000)4.
Chang,J.
S.
,Chang,W.
H.
:AnEarlyFraudDetectionMechanismforOnlineAuc-tionsBasedonPhasedModeling.
In:ProceedingsofJointConferencesonPervasiveComputing(JCPC),Taipei,pp.
743–748(2009)5.
Chau,D.
,Faloutsos,C.
:FraudDetectioninElectronicAuction.
In:ProceedingsofEWMF2005:EuropeanWebMiningForum,Porto(2005)6.
Cheng,D.
,etal.
:Onarecursivespectralalgorithmforclusterinfrompairwisesimilarities.
MITLCSTechnicalReportMIT-LCS-TR-906(2003)7.
Chua,C.
,Wareham,J.
:FightingInternetAuctionFraud:Anassessmentandpro-posal.
IEEEComputer37(10),31–37(2004)8.
Dhillon,I.
:Co-clusteringdocumentsandwordsusingbipartitespectralgraphpar-titioning.
In:KnowledgeDiscoveryandDataMining,pp.
269–274(2001)9.
Dong,F.
,Shatz,S.
,Zu,H.
:CombatingOnlinein-AuctionFraud:Clues,TechniquesandChallenges.
ComputerScienceReview3(4),245–258(2009)10.
Fowlkes,C.
,etal.
:SpectralGroupingUsingtheNystr¨omMethod.
IEEETransac-tionsonPatternAnalysisandMachineIntelligence26,214–225(2004)11.
Gavish,B.
,Tucci,C.
:ReducingInternetAuctionFraud.
CommunicationsoftheACM51(5),89–97(2008)12.
Kannan,R.
,Vempala,S.
,Vetta,A.
:Onclusterings:good,badandspectral.
In:Proceedingsofthe41stAnnualSymposiumonFoundationsofComputerScience,California,pp.
367–380.
IEEEComputerSociety(2000)13.
Kruegel,C.
,Vigna,G.
,Robertson,W.
:Amulti-modelapproachtothedetectionofweb-basedattacks.
ComputerNetworks48,717–738(2005)14.
Levenshtein,V.
I.
:Binarycodescapableofcorrectingdeletions,insertionsandre-versals.
SovietPhysicsDoklady10,707–710(1966)15.
Palka,D.
,Zachara,M.
:LearningWebApplicationFirewall-BenetsandCaveats.
In:Tjoa,A.
M.
,Quirchmayr,G.
,You,I.
,Xu,L.
,etal.
(eds.
)ARES2011.
LNCS,vol.
6908,pp.
295–308.
Springer,Heidelberg(2011)16.
Pietro,R.
,Mancini,L.
(eds.
):IntrusionDetectionSystems.
Springer(2008)ISBN:978-0-387-77265-3546M.
ZacharaandD.
Palka17.
PuttinganEndtoAccount-HijackingIdentityTheft.
FederalDepositInsuranceCorporation(2004)18.
Reichling,F.
:EectsofReputationMechanismsonFraudPreventionineBayAuctions.
Thesis,StanfordUniversity(2004)19.
QuaterlyRetailE-commerceSales(2009),http://www.
census.
gov/retail/mrts/www/data/pdf/09Q4.
pdf20.
Shi,J.
,Malik,J.
:Normalizedcutsandimagesegmentation.
IEEETransactionsonPatternAnalysisandMachineIntelligence22(8),888–905(2000)21.
Theriskofcriminalexploitationofonlineauctions.
AustralianInstituteofCrimi-nology(2007)22.
Weiss,Y.
:Segmentationusingeigenvectors:aunifyingview.
In:ProceedingsofIEEEInternationalConferenceonComputerVision,pp.
975–982(1999)23.
Wheeler,R.
,Aitken,S.
:Multiplealgorithmsforfrauddetection.
Knowledge-BasedSystems13,93–99(2000)24.
Xiang,T.
,Gong,S.
:Spectralclusteringwitheigenvectorselection.
PatternRecog-nition41(3),1012–1029(2008)25.
Zhang,B.
,Zhou,Y.
,Faloutos,C.
:TowardaComprehensiveModelinInternetAuctionFraudDetection.
In:ProceedingsofHawaiiInternationalConferenceonSystemSciences,pp.
79–87.
IEEEComputerSociety(2008)